openec2 Article Description
Configure Postfix – Amazon AWS Linux 2023
IMPORTANT NOTES:
Debian needs:
apt install libsasl2-modules
and there is no need to edit master.cf.
You also need the sasl_passwd file and its hash.
This uses the SES SMTP credentials.
See: https://docs.aws.amazon.com/ses/latest/dg/postfix.html
You need the following (if not already set, using your region's email endpoint, such as Oregon for Australia; I think you could get a local region out of sandbox?):
postconf -e "relayhost = [email-smtp.us-west-2.amazonaws.com]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = secure" \
"smtp_tls_note_starttls_offer = yes"
master.cf needs this line commented out if present: -o smtp_fallback_relay=
Edit /etc/postfix/sasl_passwd and add:
[email-smtp.us-west-2.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
(This is from your account's SMTP credentials for the region you are using.)
postmap hash:/etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
If not present in the main.cf file:
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'   # for AWS Linux
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'   # for Debian
(Check which of the above files exists on your system and choose that one.)
Restart postfix, check its status, and do a test:
sendmail -f sender@example.com recipient@example.com
From: Sender Name
Subject: Amazon SES Test

This message was sent using Amazon SES.
.
mailq
If mailq is not empty, there is an issue.
Check the entries in /var/log/mail.log.
This is a straightforward configuration; it does not require editing /etc/postfix/master.cf, only main.cf.
You add port 587 to the EC2 Security Group.
You can modify limits.sh (Scripts – Part 2 – Bits and Pieces) to cover port 587; this must be done to stop attackers opening connections to port 587 and flooding it by never closing them.
You can use dnf install postfix on Amazon Linux 2023 (apt install postfix on Debian 11).
Debian's /etc/postfix/main.cf settings differ from Amazon Linux 2023; see the link here:
The postconf command below is to make things easier for us, but Debian's main.cf file would need manual editing, not postconf.
When you test with sendmail, your logs are in /var/log/mail.log; you can "tail -f" the file to see what is going on.
If you have an authorised email address, you could use something like this to test:
sendmail -f me@gmail.com me@gmail.com
I like to keep postfix in a stopped state unless a shell script I write wants to send me an email, such as when the web service is down (you can use UptimeRobot for that on the web). The script can start postfix, send the email, then stop it.
A crontab script could reload postfix (refer to "man postfix") once a night if you do want to keep it in a started state.
Configuring Postfix – we use this to send internal emails.
You will have previously installed DNF packages as per the Installation of Linux 2023 article.
cd /etc/postfix
Add the following lines to a new file sasl_passwd, using the square brackets as shown and the e-mail region. I use Oregon. There is no e-mail region in Australia.
You will have previously created SMTP credentials from the SES console. Use these where it says SMTPUSERNAME:SMTPPASSWORD below.
cd /etc/postfix
vi sasl_passwd
[email-smtp.us-west-2.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
[save and exit - use the square brackets as shown above]
systemctl stop postfix; systemctl disable postfix; ps -ef | grep postfix
postconf -e "relayhost = [email-smtp.us-west-2.amazonaws.com]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"
[Enter the above lines with the \ then press the RETURN key to execute them. Remember, these lines show Oregon as the region. If you use North Virginia you would need that region.]
[Modify the file further. To get the value of YYYYYYYY, use mxtoolbox.com > SuperTool > (enter the IP address of domain.au) and select Reverse Pointer (PTR). Do not have duplicate entries for the certificate. systemctl restart postfix and systemctl status postfix -l will show any errors. We also have the mail.log file to help. Use your own domain for the certificates below. We use inet_interfaces = localhost as we are not sending out emails to the world. We will only forward incoming emails to an S3 bucket, and from there we could use "mutt" to forward emails from external people and attachments.]
vi /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/pki/tls/certs/domain_au.crt
smtpd_tls_key_file = /etc/pki/tls/private/domain_au.key
myhostname = domain.au
mydomain = domain.au
myorigin = $mydomain
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_banner = YYYYYYYY.ap-southeast-2.compute.amazonaws.com ESMTP domain.au postfix
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = reject_unauth_destination
maillog_file = /var/log/mail.log
smtpd_tls_loglevel = 3
[save and exit]
postmap hash:/etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
postfix start; sudo postfix reload; postfix flush
mailq
[Now do a test e-mail, then disable postfix for security reasons and only call it from shell scripts]
sendmail -f admin@mydomain.au admin@mydomain.au
From: admin <admin@mydomain.au>
Subject: Postfix Test

This is a test message from AWS Postfix and SES
.
mailq
[It should have sent without errors. If not, clean up /var/log and fix the error. If you are in sandbox mode, use the verified email address you created in SES, and check your DNS records. You may also see errors in the CloudWatch logs in the Oregon region if you made mistakes in your Lambda or SES setups. These details are covered in a separate article.]
systemctl disable postfix
postfix stop
[We stop postfix for security. We can use it in our shell scripts to send alerts.]
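As an added check (example code written for this page, not from the article or from Postfix), the script below parses a main.cf and reports where the relay settings, or the sasl_passwd ownership and mode, differ from the hardened values used above; the sample config is constructed, and the file paths are the article's own.

```python
# Added example, not from the article: audit the postconf -e relay settings and sasl_passwd perms.
import re
import stat

# Constructed sample main.cf (not a real file), mirroring the article's postconf -e lines.
SAMPLE_MAIN_CF = """\
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
inet_interfaces = localhost
"""

def parse_main_cf(text):
    """Return main.cf 'key = value' pairs; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_main_cf(conf):
    """Return findings for the SES relay settings; an empty list means all checks passed."""
    findings = []
    # Square brackets suppress the MX lookup, so mail goes only to the named SES endpoint.
    if not re.fullmatch(r"\[[^\]]+\]:\d+", conf.get("relayhost", "")):
        findings.append("relayhost must be [host]:port")
    opts = [o.strip() for o in conf.get("smtp_sasl_security_options", "").split(",")]
    if "noanonymous" not in opts:
        findings.append("smtp_sasl_security_options must include noanonymous")
    level = conf.get("smtp_tls_security_level", "")
    if level not in ("encrypt", "secure"):
        findings.append("smtp_tls_security_level is %r; SMTP credentials need encrypt or secure" % level)
    # 'secure' verifies the SES server certificate, which needs the smtp_tls_CAfile bundle.
    if level == "secure" and not conf.get("smtp_tls_CAfile"):
        findings.append("smtp_tls_security_level = secure needs smtp_tls_CAfile")
    if conf.get("inet_interfaces") not in ("localhost", "loopback-only"):
        findings.append("inet_interfaces should be localhost so only local scripts can submit mail")
    return findings

def audit_sasl_passwd(st_mode, st_uid):
    """Check stat() mode and uid of sasl_passwd or sasl_passwd.db: root-owned and 0600."""
    findings = []
    if stat.S_IMODE(st_mode) != 0o600:
        findings.append("mode is %04o, expected 0600" % stat.S_IMODE(st_mode))
    if st_uid != 0:
        findings.append("owner uid is %d, expected root" % st_uid)
    return findings
```

On a live host, feed `open("/etc/postfix/main.cf").read()` to `parse_main_cf` and `os.stat("/etc/postfix/sasl_passwd")` fields to `audit_sasl_passwd`; a non-empty result is a setting to fix before re-enabling the relay.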
If you have connected your domain to MS Exchange, then the above postfix configurations need modifications.
sasl_passwd uses something like this, if your domain was domain.au:
[domain-au.mail.protection.outlook.com]:25 me@domain.au:PASSWORD
Then hash the file as above with postmap.
Then modify /etc/postfix/main.cf and restart the service.
smtp_tls_security_level = may
[make sure you have your certificates listed, e.g.
smtpd_tls_cert_file = /etc/pki/tls/certs/domain_au.crt
smtpd_tls_key_file = /etc/pki/tls/private/domain_au.key
if using Comodo type certificates for domain.au]
relayhost = [domain-au.mail.protection.outlook.com]:25
[where this is a copy of your DNS entry in Route53 (or wherever) and we use port 25 only.]
[Then test like this after systemctl stop postfix; systemctl start postfix; where me@domain.au is your primary or alias in MS Exchange.]
sendmail -f me@domain.au me@domain.au
From: me@domain.au
Subject: postfix test

This is a postfix test
.
[then check:]
mailq
cat /var/log/mail.log
[you may need to view it a few times if timeouts are involved etc.]
You can now send emails from shell scripts. This does not affect the WordPress contact form setups that use the SMTP Mail Plugin's "Other SMTP" settings going through the AWS SES relay without MS Exchange involved.